Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(deps) CVE–2022–25887 #6664

Merged
merged 2 commits into from
Jan 26, 2024

Conversation

debricked[bot]
Copy link
Contributor

@debricked debricked bot commented Jan 26, 2024

CVE–2022–25887

Vulnerability details

Description

NVD

The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.

GitLab Advisory Database (Open Source Edition)

Inefficient Regular Expression Complexity

The package sanitize-html before 2.7.1 is vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.

CVSS details - 7.5

 

CVSS3 metrics
Attack Vector Network
Attack Complexity Low
Privileges Required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High
References

    NVD - CVE-2022-25887
    npm/sanitize-html/CVE-2022-25887.yml · main · GitLab.org / GitLab Advisory Database Open Source Edition · GitLab
    Regular Expression Denial of Service (ReDoS) in org.webjars.npm:sanitize-html | CVE-2022-25887 | Snyk
    Release 2.7.1 by boutell · Pull Request #557 · apostrophecms/sanitize-html · GitHub
    Merge pull request #557 from apostrophecms/release-2.7.1 · apostrophecms/sanitize-html@b4682c1 · GitHub
    Regular Expression Denial of Service (ReDoS) in sanitize-html | CVE-2022-25887 | Snyk
    GitHub - apostrophecms/sanitize-html: Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis. Built on htmlparser2 for speed and tolerance

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE

 

Copy link

cloudflare-workers-and-pages bot commented Jan 26, 2024

Deploying with  Cloudflare Pages  Cloudflare Pages

Latest commit: fee63fb
Status: ✅  Deploy successful!
Preview URL: https://867b3813.immich.pages.dev
Branch Preview URL: https://debricked-fix-cve-2022-25887.immich.pages.dev

View logs

@etnoy etnoy added the dependencies Pull requests that update a dependency file label Jan 26, 2024
@jrasm91 jrasm91 merged commit 33b3b80 into main Jan 26, 2024
24 of 25 checks passed
@jrasm91 jrasm91 deleted the debricked-fix-CVE_2022_25887-de47a6a33003c923 branch January 26, 2024 15:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants